Smart factories lack smart security, warns Capgemini

Chris Middleton, July 13, 2022
Summary:
The latest Capgemini report takes a swipe at smart-factory initiatives and explains why security is often lacking


Smart factories are growing targets for cyberattacks, according to a report from multinational services and consultancy provider, Capgemini.

This is no surprise. But using figures from a survey of 950 manufacturers – 68% of which have smart factory initiatives – Capgemini finds that 40% have been hit by hostile attacks, nearly three-quarters of those in the past 12 months. This is a major concern, given existing strains on local and global supply chains.

Heavy industry is the biggest target (51% of respondents in this category have been attacked), followed by: big pharma and life sciences (44%); chemicals, including petrochemicals (39%); semiconductors and high-tech (39%); consumer products (38%); automotive (36%); and aerospace and defence (a surprisingly low 33%).

The report, Built to Defend – Smart and Secure: Why Smart Factories Need to Prioritize Cybersecurity, reveals that 79% of decision-makers think smart factories are at particularly high risk. But although they are aware of the threat, this isn’t translating into concerted remedial action.

Why is this? The report explains:

Many organizations we surveyed say their cybersecurity analysts are overwhelmed by the vast array of Operations Technology (OT) and Industrial Internet of Things (IIOT) devices they must track in their attempts to discover and disable attempted breaches of their security.

One reason for smart factories being a target in the first place is that they are in the vanguard of digital transformation programmes at scale, warns the report. In other words, they are lumbering elephants in the crosshairs of big guns – including those of hostile state forces.

However, hostile campaigns should also be seen in the context of rising attacks on supply chains of every kind. These offer cascading effects of disruption and payback to attackers. Malicious attacks such as Kaseya, Log4j, and NotPetya, plus hardware-level incursions and utility attacks via code repositories, have all been on the rise.

Other research in this area has pointed out that – as with specialist hardware in the healthcare sector – many industrial devices were never designed to be interconnected or exposed to the internet in the first place. Those plants can’t all be ripped out, updated and/or replaced at will, any more than hospital systems can.

For example, speaking in a 2022 WithSecure report on supply chain cybersecurity, that vendor’s security consultant Michael Weng explained:

We are still tangling with the legacy issues of devices that were never meant for the network or the internet and, as such, represent a clear and present danger.

Since they do not have modern, sufficient cybersecurity controls, they cannot protect themselves and so can’t protect our networks and other systems from them. In this way, they become a vector for adversaries to penetrate IoT and IT networks.

We need to close down those access points and reduce the attack surface.

WithSecure added that organized breaches in any organization have knock-on effects in others: every security team has to investigate whether they have been affected too. In this sense, they are “truly insidious”, with global impacts in terms of wasted time, money, skills, and human resources.

Quoted in the Capgemini report, the cybersecurity lead at a major Indian automotive OEM adds:

All the security controls, such as maintenance and security-patch updates, are performed regularly by IT but, since the OT machines have a legacy system and hackers also want real-time information from the machines, hackers are changing the attack vector from IT to OT.

As a result, Capgemini explains that the security response needs to be comprehensive, top down, and organized at every tier. But it warns:

We found organizations in general to be inadequately prepared in terms of awareness, governance, protection, detection, and resilience. Our analysis indicates that governance is a particular area of concern, with this area demonstrating the lowest level of preparedness across multiple parameters.

A strategic approach

Key challenges in bringing smart-factory cybersecurity up to speed include:

  • A lack of collaboration between smart factory leaders and the Chief Security Officer

  • Not enough annual budget is being channelled into cybersecurity

  • And there is a failure to detect cyberattacks early, leading to a higher level of damage being inflicted on operations.

As is common with such surveys, Capgemini found a group of outlying leaders among its respondents. Seventy-four percent of this subset can recognize known attack patterns at an early stage in their deployment, compared to just 46% of other organizations. This is important, as attackers are learning to disguise hostile incursions as normal network traffic.

Meanwhile, 80% of leaders can respond to cybersecurity threats, compared with just 51% of laggards, while 72% of leaders can mitigate and reduce the impact of successful attacks, compared with 41% of others.

So, what defines some manufacturers as leaders, given the lack of clarity in these results?

The answer seems to be those that are taking a proactive, strategic approach to tackling the problem. For example, Unilever is building a registry of digital assets for each of its 300-plus plants, and working to isolate the impact of attacks at factory-floor level, protecting the wider organisation and systems.

But what can other business and IT leaders do to be better prepared? Capgemini says:

  • Perform an initial cybersecurity assessment of the whole organization

  • Build awareness of smart-factory cyber threats across the organization

  • Identify risk ownership for cyberattacks in smart factories

  • Establish a framework that monitors and facilitates smart-factory cybersecurity

  • Embed cybersecurity practices tailored to the smart-factory environment

  • And establish strong governance structures with rigorous oversight measures.

Good advice.

My take

For all of Capgemini’s strategic focus on smart factory initiatives, it has long been critical of these programmes – or at least, their poor success rates.

For example, a 2019 smart-factories report by the company found that only 14 percent of programmes were successful. This was because of the challenges of attempting, in effect, a green-field project in an ageing, legacy, active environment.

Further obstacles to success include: a lack of relevant skills at every level in the organization; the project’s scope; interoperability with legacy/OT systems; scaling the programme from an (often successful) proof of concept; and, again, cybersecurity.

  • In related news, a report published today by security specialist Barracuda, The State of Industrial Security in 2022, finds that over 94% of UK organizations have experienced some form of security incident in the last 12 months, including 98% of manufacturers. The most common attack vector was Web application attacks, reported by 42% of the 800 decision-makers surveyed. However, over one-third reported supply-chain attacks.
